path: root/CHANGES.txt
Diffstat (limited to 'CHANGES.txt')
-rw-r--r-- CHANGES.txt 235
1 files changed, 130 insertions, 105 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 434557f89..51a1e457d 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,121 +1,146 @@
-unreleased
-==========
+1.9a2 (2017-05-09)
+==================
Backward Incompatibilities
--------------------------
- - Following the Pyramid deprecation period (1.6 -> 1.8),
- daemon support for pserve has been removed. This includes removing the
- daemon commands (start, stop, restart, status) as well as the following
- arguments:
- --daemon --pid-file --log-file --monitor-restart --status --user --group
- --stop-daemon
-
- To run your server as a daemon you should use a process manager instead of
- pserve.
-
- See https://github.com/Pylons/pyramid/pull/2615
-
-- ``pcreate`` is now interactive by default. You will be prompted if it
- a file already exists with different content. Previously if there were
- similar files it would silently skip them unless you specified
- ``--interactive`` or ``--overwrite``.
- See https://github.com/Pylons/pyramid/pull/2775
-
-Features
---------
-
-- pcreate learned about --package-name to allow you to create a new project in
- an existing folder with a different package name than the project name. See
- https://github.com/Pylons/pyramid/pull/2783
-
-- The `_get_credentials` private method of `BasicAuthAuthenticationPolicy`
- has been extracted into standalone function ``extract_http_basic_credentials`
- in `pyramid.authentication` module, this function extracts HTTP Basic
- credentials from a ``request`` object, and returns them as a named tuple.
- See https://github.com/Pylons/pyramid/pull/2662
-
-- Pyramid 1.4 silently dropped a feature of the configurator that has been
- restored. It's again possible for action discriminators to conflict across
- different action orders.
- See https://github.com/Pylons/pyramid/pull/2757
-
-- ``pyramid.paster.bootstrap`` and its sibling ``pyramid.scripting.prepare``
- can now be used as context managers to automatically invoke the ``closer``
- and pop threadlocals off of the stack to prevent memory leaks.
- See https://github.com/Pylons/pyramid/pull/2760
-
-- Added ``pyramid.config.Configurator.add_exception_view`` and the
- ``pyramid.view.exception_view_config`` decorator. It is now possible using
- these methods or via the new ``exception_only=True`` option to ``add_view``
- to add a view which will only be matched when handling an exception.
- Previously any exception views were also registered for a traversal
- context that inherited from the exception class which prevented any
- exception-only optimizations.
- See https://github.com/Pylons/pyramid/pull/2660
-
-- Added the ``exception_only`` boolean to
- ``pyramid.interfaces.IViewDeriverInfo`` which can be used by view derivers
- to determine if they are wrapping a view which only handles exceptions.
- This means that it is no longer necessary to perform request-time checks
- for ``request.exception`` to determine if the view is handling an exception
- - the pipeline can be optimized at config-time.
- See https://github.com/Pylons/pyramid/pull/2660
-
-- ``pserve`` should now work with ``gevent`` and other workers that need
- to monkeypatch the process, assuming the server and / or the app do so
- as soon as possible before importing the rest of pyramid.
- See https://github.com/Pylons/pyramid/pull/2797
+- ``request.exception`` and ``request.exc_info`` will only be set if the
+ response was generated by the EXCVIEW tween. This is to avoid any confusion
+ where a response was generated elsewhere in the pipeline and not in
+ direct relation to the original exception. If anyone upstream wants to
+ catch and render responses for exceptions they should set
+ ``request.exception`` and ``request.exc_info`` themselves to indicate
+ the exception that was squashed when generating the response.
+
+ Similar behavior occurs with ``request.invoke_exception_view`` in which
+ the exception properties are set to reflect the exception if a response
+ is successfully generated by the method.
+
+ This is a very minor incompatibility. Most tweens right now would give
+ priority to the raised exception and ignore ``request.exception``. This
+ change just improves and clarifies that bookkeeping by trying to be
+ more clear about the relationship between the response and its squashed
+ exception. See https://github.com/Pylons/pyramid/pull/3029 and
+ https://github.com/Pylons/pyramid/pull/3031
+
+1.9a1 (2017-05-01)
+==================
+
+Major Features
+--------------
+
+- The file format used by all ``p*`` command line scripts such as ``pserve``
+ and ``pshell``, as well as the ``pyramid.paster.bootstrap`` function
+ is now replaceable thanks to a new dependency on
+ `plaster <http://docs.pylonsproject.org/projects/plaster/en/latest/>`_.
+
+ For now, Pyramid is still shipping with integrated support for the
+ PasteDeploy INI format by depending on the
+ `plaster_pastedeploy <https://github.com/Pylons/plaster_pastedeploy>`_
+ binding library. This may change in the future.
+
+ See https://github.com/Pylons/pyramid/pull/2985
+
+- Added an execution policy hook to the request pipeline. An execution
+ policy has the ability to control creation and execution of the request
+ objects before they enter the rest of the pipeline. This means for a single
+ request environ the policy may create more than one request object.
+
+ The first library to use this feature is
+ `pyramid_retry
+ <http://docs.pylonsproject.org/projects/pyramid-retry/en/latest/>`_.
+
+ See https://github.com/Pylons/pyramid/pull/2964
+
+- CSRF support has been refactored out of sessions and into its own
+ independent API in the ``pyramid.csrf`` module. It supports a pluggable
+ ``pyramid.interfaces.ICSRFStoragePolicy`` which can be used to define your
+ own mechanism for generating and validating CSRF tokens. By default,
+ Pyramid continues to use the ``pyramid.csrf.LegacySessionCSRFStoragePolicy``
+ that uses the ``request.session.get_csrf_token`` and
+ ``request.session.new_csrf_token`` APIs under the hood to preserve
+ compatibility. Two new policies are shipped as well,
+ ``pyramid.csrf.SessionCSRFStoragePolicy`` and
+ ``pyramid.csrf.CookieCSRFStoragePolicy`` which will store the CSRF tokens
+ in the session and in a standalone cookie, respectively. The storage policy
+ can be changed by using the new
+ ``pyramid.config.Configurator.set_csrf_storage_policy`` config directive.
+
+ CSRF tokens should be used via the new ``pyramid.csrf.get_csrf_token``,
+ ``pyramid.csrf.new_csrf_token`` and ``pyramid.csrf.check_csrf_token`` APIs
+ in order to continue working if the storage policy is changed. Also, the
+ ``pyramid.csrf.get_csrf_token`` function is injected into templates to be
+ used conveniently in UI code.
+
+ See https://github.com/Pylons/pyramid/pull/2854 and
+ https://github.com/Pylons/pyramid/pull/3019
+
+Minor Features
+--------------
+
+- Support an ``open_url`` config setting in the ``pserve`` section of the
+ config file. This url is used to open a web browser when ``pserve --browser``
+ is invoked. When this setting is unavailable the ``pserve`` script will
+ attempt to guess the port the server is using from the
+ ``server:<server_name>`` section of the config file but there is no
+ requirement that the server is being run in this format so it may fail.
+ See https://github.com/Pylons/pyramid/pull/2984
+
+- The ``pyramid.config.Configurator`` can now be used as a context manager
+ which will automatically push/pop threadlocals (similar to
+ ``config.begin()`` and ``config.end()``). It will also automatically perform
+ a ``config.commit()`` and thus it is only recommended to be used at the
+ top-level of your app. See https://github.com/Pylons/pyramid/pull/2874
+
+- The threadlocals are now available inside any function invoked via
+ ``config.include``. This means the only config-time code that cannot rely
+ on threadlocals is code executed from non-actions inside the main. This
+ can be alleviated by invoking ``config.begin()`` and ``config.end()``
+ appropriately or using the new context manager feature of the configurator.
+ See https://github.com/Pylons/pyramid/pull/2989
Bug Fixes
---------
-- Fixed bug in `proutes` such that it now shows the correct view when a class
- and `attr` is involved.
- See: https://github.com/Pylons/pyramid/pull/2687
-
-- Fix a ``FutureWarning`` in Python 3.5 when using ``re.split`` on the
- ``format`` setting to the ``proutes`` script.
- See https://github.com/Pylons/pyramid/pull/2714
-
-- Fix a ``RuntimeWarning`` emitted by WebOb when using arbitrary objects
- as the ``userid`` in the ``AuthTktAuthenticationPolicy``. This is now caught
- by the policy and the object is serialized as a base64 string to avoid
- the cryptic warning. Since the userid will be read back as a string on
- subsequent requests a more useful warning is emitted encouraging you to
- use a primitive type instead.
- See https://github.com/Pylons/pyramid/pull/2715
-
-- Pyramid 1.6 introduced the ability for an action to invoke another action.
- There was a bug in the way that ``config.add_view`` would interact with
- custom view derivers introduced in Pyramid 1.7 because the view's
- discriminator cannot be computed until view derivers and view predicates
- have been created in earlier orders. Invoking an action from another action
- would trigger an unrolling of the pipeline and would compute discriminators
- before they were ready. The new behavior respects the ``order`` of the action
- and ensures the discriminators are not computed until dependent actions
- from previous orders have executed.
- See https://github.com/Pylons/pyramid/pull/2757
+- HTTPException's accepts a detail kwarg that may be used to pass additional
+ details to the exception. You may now pass objects so long as they have a
+ valid __str__ method. See https://github.com/Pylons/pyramid/pull/2951
+
+- Fix a reference cycle causing memory leaks in which the registry
+ would keep a ``Configurator`` instance alive even after the configurator
+ was discarded. Another fix was also added for the ``global_registries``
+ object in which the registry was stored in a closure preventing it from
+ being deallocated. See https://github.com/Pylons/pyramid/pull/2967
+
+- Fix a bug directly invoking ``pyramid.scripts.pserve.main`` with the
+ ``--reload`` option in which ``sys.argv`` is always used in the subprocess
+ instead of the supplied ``argv``.
+ See https://github.com/Pylons/pyramid/pull/2962
Deprecations
------------
-Documentation Changes
----------------------
-- Add pyramid_nacl_session to session factories.
- See https://github.com/Pylons/pyramid/issues/2791
+- Pyramid currently depends on ``plaster_pastedeploy`` to simplify the
+ transition to ``plaster`` by maintaining integrated support for INI files.
+ This dependency on ``plaster_pastedeploy`` should be considered subject to
+ Pyramid's deprecation policy and may be removed in the future.
+ Applications should depend on the appropriate plaster binding to satisfy
+ their needs.
-- Update HACKING.txt from stale branch that was never merged to master.
- See https://github.com/Pylons/pyramid/pull/2782
+- Retrieving CSRF token from the session has been deprecated in favor of
+ equivalent methods in the ``pyramid.csrf`` module. The CSRF methods
+ (``ISession.get_csrf_token`` and ``ISession.new_csrf_token``) are no longer
+ required on the ``ISession`` interface except when using the default
+ ``pyramid.csrf.LegacySessionCSRFStoragePolicy``.
-- Updated Windows installation instructions and related bits.
- See https://github.com/Pylons/pyramid/issues/2661
+ Also, ``pyramid.session.check_csrf_token`` is now located at
+ ``pyramid.csrf.check_csrf_token``.
-- Fix an inconsistency in the documentation between view predicates and
- route predicates and highlight the differences in their APIs.
- See https://github.com/Pylons/pyramid/pull/2764
+ See https://github.com/Pylons/pyramid/pull/2854 and
+ https://github.com/Pylons/pyramid/pull/3019
+
+Documentation Changes
+---------------------
-- Clarify a possible misuse of the ``headers`` kwarg to subclasses of
- :class:`pyramid.httpexceptions.HTTPException` in which more appropriate
- kwargs from the parent class :class:`pyramid.response.Response` should be
- used instead. See https://github.com/Pylons/pyramid/pull/2750
+- Added the execution policy to the routing diagram in the Request Processing
+ chapter. See https://github.com/Pylons/pyramid/pull/2993
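Review bot: The Deprecations entry saying ``pyramid.session.check_csrf_token`` "is now located at" ``pyramid.csrf.check_csrf_token`` does not state whether the old import path keeps working, so a reader cannot tell whether existing CSRF checks break on upgrade or only emit a warning. Since the entry sits under Deprecations, say explicitly that the old name remains importable as a deprecated alias if that is the case, or move the entry to Backward Incompatibilities. In the same entry, "Retrieving CSRF token from the session" reads better as "Retrieving CSRF tokens from the session". In Bug Fixes, "HTTPException's accepts a detail kwarg" should be "HTTPException accepts a ``detail`` kwarg", and ``__str__`` should be in double backticks like the other identifiers in this file. That entry is also worded as a new capability rather than a fix, so consider describing the behavior that was broken before.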